What issues have you encountered this year while recruiting cyber talent, if any?

Security & GRCTalent Sourcing & Hiring

Lack of formal qualifications8%

Lack of available talent54%

Lack of experience17%

Unwillingness to relocate6%

Lack of specific tool/software expertise2%

Unrealistic salary expectations8%

None of the above3%

600 PARTICIPANTS
3.5k viewscircle icon1 Upvotecircle icon1 Comment
Sort by:
Senior Information Security Manager in Software4 years ago

When it comes to IT in general, and information security specifically, much of the so-called ‘talent shortage’ is due to companies that do not want to pay for talent.

They offer low-ball salaries/consulting rates and then complain they can’t find people.

 

https://engineering.tapad.com/the-fallacy-of-the-information-security-skill-shortage-c1214122e6c0

Content you might like

Do you have a lock out policy for system accounts? If so, how many attempts do you have it set too? 

Have you considered not having a lock out policy where accounts are vaulted / rotated & standing access is removed?

As part of our NYSE IPO prep, we’re debating how to communicate our system hardening efforts in regulatory disclosures (e.g., SEC Form 20-F, SFC).

Would you recommend sharing % compliance (e.g., “85% CIS Tier 2”) or sticking to qualitative descriptions of how we identify and mitigate risks? Also, do SFC/ISO 27001 expectations require full ISMS integration, or is a % model acceptable?

It's been announced that Windows 11 will be serviced on a monthly basis, similar to Windows 10's infamous "Patch Tuesdays". What's the ideal service cadence for this OS?

Updates should be released daily.6%

Updates should be released weekly61%

Updates should stay monthly.22%

Updates should be pushed quarterly.9%

Other (comment below)

View Results

What was the impact of the last successful phishing attack on your organization?

Loss of Data10%

Ransomware Infection38%

Credential/account compromise20%

Financial loss/wire transfer fraud2%

Other (comment below)29%

View Results

We’re preparing for an IPO on the NYSE as a Foreign Private Issuer and evaluating CIS Benchmarks to measure OS and database hardening.

Our proposed tiers:
• Tier 1 (70–80%) baseline
• Tier 2 (85–90%) for sensitive data
• Tier 3 (95–100%) for mission-critical systems

Is 80% compliance defensible for IPO due diligence with SEC or SFC? Should Tier 3 be considered mandatory for critical systems? And can compensating controls (e.g., PAM, microsegmentation) offset gaps in legacy environments?

What issues have you encountered this year while recruiting cyber talent, if any? | Gartner Peer Community